RHEL 7.x and SSSD and /etc/resolv.conf
Ran into an interesting situation with /etc/resolv.conf configured with “options rotate timeout:1” and SSSD, involving DNS lookups against a nameserver that was not up and SSSD marking an entire domain offline. In this specific situation the last server in /etc/resolv.conf had been left down by accident following a reconfiguration of VMware: when the servers were brought back up, one of the BIND servers was left down. That server being down, and being last in the list, caused SSSD to mark the krb5 authentication server as offline. As for the resolv.conf bug, Red Hat is fixing it as described here.

SSSD only uses resolv.conf to get its list of nameservers; it does not use glibc to perform name lookups. It uses its own internal lookup mechanism, which is bounded by a handful of properties. In my case the three properties below being left at their defaults caused SSSD to mark the domains offline and access to be denied.
Note: these sssd.conf properties are set on each domain.
- dns_resolver_op_timeout = 15
- dns_resolver_timeout = 30
- krb5_auth_timeout = 35
Here are a few links explaining how these properties should be tuned to prevent SSSD from marking a domain offline while a DNS server is offline.
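Because SSSD reads resolv.conf only for the nameserver list and then resolves on its own, a dead server that glibc would rotate past can still take a domain offline. The following added example (my own check, not from the original post or from SSSD) probes every listed nameserver directly with a UDP DNS query, waiting per server for the post's default dns_resolver_op_timeout of 15 seconds; the resolv.conf content and the queried hostname are constructed placeholders.

```python
"""Probe every nameserver in resolv.conf directly, as SSSD's own resolver would,
so that a dead server (e.g. the last one in the list) is found before SSSD
marks the domain offline. Added example; not part of SSSD or the original post."""
import re
import socket
import struct
from typing import Callable, Dict, List

# Constructed sample resolv.conf mirroring the post: three servers, last one down.
SAMPLE_RESOLV_CONF = """\
search example.internal
options rotate timeout:1
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 192.0.2.12
"""
PER_SERVER_TIMEOUT = 15.0  # the post's default dns_resolver_op_timeout, in seconds

def parse_nameservers(text: str) -> List[str]:
    """Return nameserver addresses in file order; other directives are ignored."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal recursion-desired A query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def udp_probe(server: str, name: str, timeout: float) -> bool:
    """Send one UDP query; True only if a reply with our txn id arrives in time."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:  # socket.timeout is an OSError subclass
            return False
    return len(reply) >= 12 and reply[:2] == query[:2]

def check_nameservers(text: str, name: str, timeout: float,
                      probe: Callable[[str, str, float], bool] = udp_probe) -> Dict[str, bool]:
    """Map each listed nameserver to whether it answered within the per-server budget."""
    return {ns: probe(ns, name, timeout) for ns in parse_nameservers(text)}

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:  # live check; the hostname below is a placeholder
        for ns, ok in check_nameservers(fh.read(), "kdc.example.internal", PER_SERVER_TIMEOUT).items():
            print(ns, "answered" if ok else "NO ANSWER: SSSD may mark the domain offline")
```

A server reported as "NO ANSWER" while glibc-based tools still resolve fine is exactly the asymmetry described above, since glibc's rotate option hides what SSSD's resolver sees.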